wiredepth

Spoofability verdict for time.com

No - time.com is not practically spoofable.

TIME.com has implemented a defense-in-depth email authentication posture that makes spoofing its domain genuinely difficult. This is a textbook example of how DMARC enforcement works in practice.

  • DMARC p=reject (enforced): TIME's DMARC policy is set to reject, meaning any message claiming to be from time.com that fails DMARC validation is dropped by receiving mail servers before it reaches inboxes. This is the strongest possible policy.
  • SPF -all (hardfail): The SPF record ends with -all, a hard fail. Mail from any server not covered by their includes (Google, SendGrid, Zendesk, Amazon SES, UltiPro, KnowBe4, etc.) or the four specific IP ranges will be rejected as unauthorized. This prevents open relay abuse.
  • DKIM at 3 selectors: TIME publishes DKIM keys on at least three selectors (google, s1, s2), allowing them to sign outgoing mail with cryptographic proof of origin. Recipients can verify these signatures; a spoofed message cannot produce valid DKIM signatures for time.com.
  • MTA-STS missing: TIME does not publish an MTA-STS policy. MTA-STS strengthens TLS enforcement in transit, but it is less critical given their strong DMARC and SPF posture. Its absence is a minor gap, not a failure.

What this means practically

An attacker cannot realistically impersonate time.com in a way that reaches recipient inboxes. Any spoofed message will fail DMARC alignment and be rejected outright by Gmail, Microsoft, Yahoo, and other major providers that respect DMARC p=reject. Even if a spoofed message somehow lands in a recipient's mailbox, DKIM verification will fail, signaling to email clients and security tools that the sender is unauthorized. The only realistic attack surface is against the authorized senders TIME has explicitly listed in their SPF record, but TIME controls those integrations directly.

Bottom line: TIME's email domain is well-defended and spoofing it would require breaking cryptographic DKIM signatures or compromising one of TIME's authorized mail service providers.

What we measured

Enforced

DMARC policy

p=reject

DMARC at p=reject (pct=100). Spoofed mail is rejected at SMTP.

Enforced

SPF posture

-all (hardfail)

SPF ends in -all (hardfail). Receivers reject mail from IPs not in the policy.

v=spf1 include:_spf.google.com include:_spf.psm.knowbe4.com include:_spf.ultipro.com include:u13624957.wl208.sendgrid.net include:mail.zendesk.com include:mail.cdsfulfillment.com include:amazonses.com ip4:54.236.128.150 ip4:54.236.109.30 ip4:204.115.118.33/27 ip4:149.72.199.98 ip4:149.72.231.47 -all

Enforced

DKIM presence

found at 3 selectors

DKIM key found at selectors: google, s1, s2.

Open

MTA-STS (transport)

missing

No MTA-STS policy. Inbound mail can be intercepted via DNS / MX downgrade.

How to make it un-spoofable

  1. Publish an MTA-STS policy in enforce mode and a TLS-RPT reporting endpoint.
